1. Field of the Invention
The present invention relates generally to computer networking and computer software.
2. Description of the Background Art
Computer Viruses and Virus Throttling
Malicious forms of computer code include computer viruses. A computer virus is typically able to copy itself and infect a host computer. The virus may be spread from host computer to host computer by way of a network or other means. Antivirus software typically runs on a computer host so as to attempt to protect the computer host from becoming infected. Antivirus software typically uses signature-based techniques.
Virus throttling or connection-rate filtering is a technique for containing the damage caused by fast-spreading worms and viruses. Rather than attempting to prevent a computer host from becoming infected, virus throttling inhibits the spreading of the worm or virus from an infected machine. This reduces damage because the worm or virus is able to spread less quickly, and this also reduces the network traffic caused by such worms and viruses.
Virus throttling is based on controlling an infected machine's network behavior, and so does not rely on details of the specific virus. In other words, a virus signature is not needed to implement virus throttling. Although virus throttling does not prevent infection in the first place, it helps to contain damage by restricting the spread of the virus. With such throttling, a virus or worm outbreak will grow less rapidly, and the network load will be reduced. Further, by damping down the spread of the virus or worm, the throttling buys time for signature-based solutions to reach machines before the virus or worm.
Virus throttling technology has been implemented, for example, in the ProCurve® Switch 5300xl available from the Hewlett Packard Company. Virus throttling typically works by monitoring connection requests at the networking layer 3 or layer 2 levels. When a given host exceeds a certain number of unique connection requests within a specific amount of time, the networking device may consider this host to be infected by malicious code (such as a virus or worm) and may take appropriate actions.
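The connection-rate check described above can be sketched as follows. This is an added example, not code from the patent or from any ProCurve product; the class name, the threshold of 4 unique destinations, the 1000 ms window and the sample addresses are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

class ConnectionRateFilter:
    """Flags a source host that requests connections to too many
    unique destinations within a sliding time window."""

    def __init__(self, max_unique=4, window_ms=1000):
        self.max_unique = max_unique    # assumed threshold, not from the page
        self.window_ms = window_ms      # assumed window, not from the page
        self._recent = defaultdict(deque)                     # src -> (ts, dst) in window
        self._counts = defaultdict(lambda: defaultdict(int))  # src -> dst -> hits in window
        self.flagged = {}                                     # src -> ts when first flagged

    def observe(self, ts_ms, src, dst):
        """Record one connection request; return True if src is flagged."""
        recent, counts = self._recent[src], self._counts[src]
        # Drop requests that have aged out of the window.
        while recent and ts_ms - recent[0][0] >= self.window_ms:
            _, old_dst = recent.popleft()
            counts[old_dst] -= 1
            if counts[old_dst] == 0:
                del counts[old_dst]
        recent.append((ts_ms, dst))
        counts[dst] += 1
        # Repeat requests to the same destination do not raise the unique count.
        if len(counts) > self.max_unique and src not in self.flagged:
            self.flagged[src] = ts_ms
        return src in self.flagged

def build_sample():
    """Constructed traffic: one ordinary host and one host sweeping addresses."""
    events = []
    for i in range(20):   # ordinary host: many requests, only 3 destinations
        events.append((i * 100, "10.0.0.5", f"192.0.2.{1 + i % 3}"))
    for i in range(20):   # sweeping host: a new destination every 50 ms
        events.append((500 + i * 50, "10.0.0.9", f"198.51.100.{i + 1}"))
    return sorted(events)

def run(events, **kwargs):
    """Feed (ts_ms, src, dst) records through the filter; return flagged hosts."""
    f = ConnectionRateFilter(**kwargs)
    for ts_ms, src, dst in events:
        f.observe(ts_ms, src, dst)
    return f.flagged

if __name__ == "__main__":
    print(run(build_sample()))
```

The ordinary host sends as many requests as the sweeping host but is never flagged, because only the number of distinct destinations inside the window counts.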